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ARTICLE INFO ABSTRACT 

The Nintendo Switch is a popular handheld gaming console that is used for a variety of purposes. The 
most common is that of gaming, however, there are supporting activities such as social networking, 
media consumption and internet connectivity. In this paper, we have detailed the processes that must be 
conducted in order to extract forensic evidence from Nintendo Switch devices. We extracted a number of 
different forensic artefacts from a NAND dump of several Nintendo Switch devices. We discovered 
several key artefacts, notably personally identifiable information, network connection history and dis- 
plays that have been connected. We also assessed the forensic value of each artefact extracted from the 
device. We developed software to automate the process of dumping and extracting the content of the 
NAND memory. Additionally, we developed modules for the forensic software Autopsy and released 


Article history: 


Keywords: 

Nintendo Switch 
Internet-of-things (IoT) 
Digital Forensics 
Console Forensics 
NAND 


Autopsy 


these as open source software to automate the process of ingestion and analysis. 
© 2021 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND 


license (http://creativecommons.org/licenses/by-nc-nd/4.0/). 


1. Introduction 


Video game consoles are used extensively for entertainment, 
socialising and also web browsing. The Nintendo Switch was 
released after Nintendo's previous portable gaming consoles, the 
pioneering Game Boy and subsequent Game Boy DS series. The 
Nintendo Switch is a portable gaming console with 32 gigabytes of 
internal storage, a NVIDIA Tegra processor, and various interfaces 
for internet connectivity and the connection of peripheral devices. 

One reason that the Nintendo Switch is a device worthy of 
forensic analysis, is the fact that the console itself is portable. This 
portability and the identification through certain forensic artefacts 
of location, such as SSIDs, credentials, MAC addresses and con- 
nected displays means that we can identify the previous locations 
of the device and identify the device owner. Another advantage of 
portability is that there is also a greater volume of forensic data 
available, due to the fact that the owner of the device will have it in 
their possession for a longer amount of time and will be engaging in 
activities that generate data for a greater amount of time. 

A motivating factor in any forensic investigation is to be able to 
establish a timeline of activities relevant to an investigation. In 
addition to acquiring temporal data to establish a timeline, the 
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acquisition of geolocation data or data that ties a person to a 
particular address is also useful. We identified forensic artefacts 
that contained such data within the Nintendo Switch and assessed 
their potential value in a forensic investigation. The Switch has 
internet connectivity enabled and keeps a record of all access 
points it has connected to, meaning that a forensic timeline can be 
established for the owner of the device. 

Forensic acquisition capabilities for mobile devices and tradi- 
tional laptop and desktops are well known to cybercriminals. 
Conversely, the ability for law enforcement and other investigating 
bodies to be able to extract forensic evidence from videogame 
consoles may not be as well known to criminals. 

Furthermore, several homicide cases have used rudimentary 
evidence of data from a Nintendo Switch console, the evidence in 
question was messages sent and network connections made, 
respectively (Murphy et al., 2019; Doolan, 2019). As such, our 
provision of the ability to extract forensic data from a common 
device that is present at many crime scenes is a valuable scientific 
and practical contribution to forensic science. 

As with other portable games consoles and the 3DS series that 
preceded the Nintendo Switch, system configuration and other 
data is contained within non-volatile NAND memory. Unlike these 
other consoles, a large amount of user and system data is contained 
within this NAND memory, due to the increased storage capability 
and wide variety of uses that this console has. We deployed an 
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exploit and several other steps to enable the extraction and 
ingestion of data from the NAND memory. 
The specific contributions of this research paper are as follows: 


1. We provided replicable instructions in addition to developing 
and releasing automation tools to enable the extraction of the 
data on the NAND memory from the device. 

2. We conducted evidentiary analysis of forensic artefacts on the 
Nintendo Switch. This enabled us to assess the forensic value of 
artefacts contained within the NAND memory. 

3. We developed Autopsy modules to automate forensic analysis of 
the Nintendo Switch and provide the returned forensic artefacts 
to an analyst. 


The contributions of this research are clear, in that it is the first 
academic paper and research that covers the systematic forensic 
analysis of the Nintendo Switch console. This contribution is 
coupled with our automation of all possible steps, to allow repli- 
cation and extension of this research. 


2. Related work 


Hosani et al. (2020) state that “having the ability to properly 
investigate such devices while reducing the potential of corrupting 
data is crucial”, referring specifically to the Nintendo Switch. 
Similarly, Rogers (2020) refers to the prospect of being able to 
gather forensic data from a Switch as “an essential source of data 
and potential evidence”. 

Existing research papers cover console forensics as a method 
and process. Research by Read et al. (2019) extracted forensic ar- 
tefacts from a NAND dump of the Nintendo 3DS, during the pre- 
sentation of this research the necessity of conducting future 
research on the Nintendo Switch was stated. This follows from 
earlier exploratory work by Read et al. (2018), that proposed a 
methodology for the recovery of forensic artefacts from 3DS de- 
vices. The Wii system, another Nintendo product, has been subject 
to academic forensic analysis by Turnbull (2008). 

Work has been conducted in the field of analysis of NAND 
memory by Fukami et al. (2017). Rabaiotti and Hargreaves (2010) 
described extraction of RAM memory following the deployment 
of an exploit, for the purpose of obtaining forensic evidence. Our 
method is similar, but applied to a different console. 

Despite the popularity of the console, at the time of our inves- 
tigation, no other published forensic research had been made into 
the device and its supporting firmware, regarding the information 
it is possible to extract. This presents a potentially important source 
of information which is currently being unused due to a lack of 
research and tooling. A master's thesis by Lagerholm et al. (2020) 
directly cites the modules we developed and investigates some of 
the forensic artefacts that can be recovered using these modules. 
This thesis also identifies an artefact which we do not, the 
‘Cache.dat’ file, which contains user browsing history on the Nin- 
tendo Shop. 

In this work, we have leveraged a number of open-source tools 
to facilitate the exploitation, extraction of NAND dump and sub- 
sequent forensic analysis of the extracted dump. These tools are 
from the security research community. The modding and home- 
brew community for videogames consoles means that there are 
often a wide variety of exploits available for most videogame 
consoles within a short time after their release. Some companies 
such as Microsoft and Nintendo have pursued aggressive litigation 
against researchers or businesses that have reverse engineered and 
exploited their devices, including a notable recent lawsuit against 
‘Team Xecuter’, who were selling exploitation tools for the Nin- 
tendo switch (Huang, 2003; BBC News, 2020). These tools provide a 
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useful starting point for taking initial steps such as obtaining 
memory dumps of the onboard NAND storage. An example of the 
accumulated knowledge of the homebrew community assisting our 
research, is the SwitchBrew Wiki (2020a) that offers a lot of infor- 
mation regarding the flash file system structure. 


3. Background 


The Nintendo Switch was at the time of writing, the most 
popular portable video games console in the UK market, with 61.44 
million units sold worldwide (Nintendo, 2020). This device is very 
popular and preceding our research there were no precise and 
reliable instructions for forensic analysis; meaning that providing 
the capability for automated extraction of forensic artefacts from a 
Nintendo Switch device may help a large number of investigations. 

The demographics for the user base of the Nintendo Switch are 
people typically under the age of 35 and have a slight majority of 
male users (EEDAR, 2018). Both of these demographics indicate that 
they are the target demographic for cybercrime offenders and 
people veering on the edge of cybercrime (United Nations Office on 
Drugs and Crime, 2013). There can be a crossover between potential 
cybercrime offenders and people who play videogames, as shown 
by research from the National Crime Agency (2017). 


3.1. NAND structure 


The Nintendo Switch stores its data mostly in one of two loca- 
tions, the onboard NAND flash memory and the removable SD card. 
The majority of data that is useful for forensic analysis is located on 
the NAND chip, as can be seen in SwitchBrew Wiki (2020a). We list 
the five key partitions in Table 1. The partitioning scheme used for 
the SD card is MBR, the partitioning scheme used for the NAND is 
GPT. 

Of these partitions it was only the System and User partitions 
that we assessed to contain information of forensic relevance. 
Other partitions contain things such as the boot partitions, key- 
blobs and other low level system elements, therefore being 
comparatively unlikely to contain forensically relevant information 
(SwitchBrew Wiki, 2020a). The directory structure of the System 
partition is shown in Fig. 1 and the directory structure of the User 
partition is shown in Fig. 2. 

Information locations within files in the System partition 
appeared to be the same across devices. However within the User 
partition, filenames and data offsets varied, which required us to 
use pattern matching to extract data. 

Within the save directory of each partition we identified several 
save data files. Each of these files was structured in a proprietary 
format. As a result of this, it was necessary to carve the artefacts of 
interest out of the file. 


3.2. Security of device 
Steps have been taken by Nintendo to prevent exploitation of 


the device. Unlike the 3DS, all userland processes on the device use 
ASLR, making certain avenues of exploitation more difficult. There 


Table 1 

NAND structure. 
Partition Name Details 
USER FAT32 Filesystem 
SYSTEM FAT32 Filesystem 
SAFE FAT32 Filesystem 
PRODINFO Used for System Calibration 
PRODINFOF Used for System Calibration 
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System 
#— PRF2SAFE.RCV 


s— Contents 


registered 
placehld 


— Save 


*— Savemeta 


Fig. 1. System partition. 


are other protections against exploitation such as the use of a 
microkernel, sandboxing of userland applications and the provision 
of ARM's TrustZone (Tanguy et al., 2019). 

Encryption is used in various places on the Switch device. 
Particularly relevant to our research is the use of encryption of the 
NAND, where some of the partitions (including the SYSTEM and 
USER partitions we analyse) are encrypted using AES. To decrypt 
these partitions, we extracted keys using the tool ‘Biskeydump’ 
(Stojadinovic, 2020), which requires exploitation of the Switch 
before it is able to extract these keys. The extracted ‘built-in storage’ 
keys are the keys on the device that are able to decrypt the AES 
encryption of the NAND. However they are derived from the 
device-specific keys, which can only be accessed via exploitation of 
the processor and circumvention of TrustZone, that handles cryp- 
tographic processing on the device. 


4. Method 


The methods we used to obtain forensic evidence from the 
Nintendo Switch device took a multi-staged approach. Several 
methods can be used to extract the NAND dump. The methods we 
chose were taken from the homebrew Nintendo Switch commu- 
nity, that attempts to circumvent copy protection methods and 
hardware security mechanisms of the Switch to run arbitrary code 
and other games. 

We deployed a known exploit (Fusée Gelée) against the NVIDIA 
Tegra processor within the device, to gain remote code execution. 
The aim of this was to enable the Switch system to be able to run 
unverified code. Once unverified code was running on the device, 
we were then able to use open-source tooling to extract the con- 
tents of the NAND memory. Following the extraction of NAND 
memory, we then conducted analysis on the extracted contents. At 
first our analysis was conducted manually, but we developed 
automated tools to facilitate analysis of the extracted NAND 
memory. 


4.1. Creation of test data 


We performed forensic investigations on three used Nintendo 
Switch devices to discover the forensic artefacts which are available 
on the device and provide test data for tool development and 
evaluation. One bought on launch by one of the researchers and 
two used devices with firmware version 7.0.1, that we purchased 
second-hand. 

We then put all the devices through additional usage, similar to 
how they would be used in day-to-day life. The actions that we 
recorded were the installation and downloading of applications, 
connecting and disconnecting from networks, saving games, 
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Fig. 2. User partition. 


creating and deleting accounts, taking screenshots and brief 
gameplay. We conducted this at least once for each action type on 
each device. We also performed other actions, such as interaction 
with the social networking functionality of the Switch, for which 
we were unable to find any artefacts. 

We noted these actions to enable correlation of the validity of 
any future artefacts which were found and to be able to seed the 
devices with enough evidence to ensure artefacts are present on 
the device. Whilst the actions themselves were not identical across 
devices, they created the same artefacts and enabled us to verify 
artefact locations. 

We took care to store all forensic data on an encrypted hard 
drive and disposed of it after concluding our experiments. The hex 
dumps and screenshots contained within the paper are from our 
manually created test data. We do not share parts of this dataset, to 
avoid contravening ethics and data protection law. 

We took copies of the flash memory using the process we 
enumerate in our methods section. We searched for keywords and 
associated strings within the filesystem. Some of these keywords 
are visible in the source code for our Autopsy modules. Following 
identification of a string match, we recorded the filename and 
memory offset or surrounding bytes, to aid in future identification. 
We verified these steps on a second console to ensure files and 
offsets remained consistent, if they were not discovered on a sec- 
ond console we would discard them from our analysis. Our vali- 
dation of our artefact identification on more than one device 
ensures that our results are reproducible. 


4.2. Exploitation 


To extract the flash memory dump, we used an NVIDIA Tegra 
exploit (Nvidia Support, 2018). By using this exploit chain, we were 
able to bypass secure boot and have the ability to run unverified 
code. Some NVIDIA Tegra processors support a Recovery Mode 
which allows a user with physical access to the affected processor's 
USB connection to bypass the secure boot and run unverified code. 
The particular exploit we made use of was the Fusée Gelée exploit 
chain, developed by Temkin (2018). Whilst deployment of this 
exploit chain enables execution of unverified code, it does not 
corrupt or alter the data on the Switch device in the partitions we 
used for analysis. We can see this in the aforementioned vulnera- 
bility disclosure report, in addition to the fact that during this 
exploitation, the data on the partitions we examine remains 
encrypted. 
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To prepare the system to be able to load external code, we 
needed to boot the system into recovery mode by using a physical 
‘Jig’ (Nintendo Homebrew Discord Server, 2020). After we had 
placed the device into recovery mode, we connected the device toa 
computer and verified its recovery mode status by using the tool 
TegraRcmGUI (Eliboa, 2020). 


4.3. Flash memory dumping 


We made use of the Tegra RCM exploit to gain code execution. 
After we had gained code execution, we were then able to execute 
code that extracted the contents of the NAND memory. As part of 
this research we developed automation scripts (Modux Labs, 2020), 
one of which is the DumpNANDPartitition.ps1 script, the execution 
of which is visible in Fig. 3. This script automated the extraction of 
the device's encryption keys using Biskeydump (Stojadinovic, 
2020) and subsequently automated the NAND dump extraction. 
Once arbitrary code execution was achieved, we then extracted the 
NAND dump. 

The process that we followed, precisely, is: 


= 


. We connected the Switch to the PC via USB-C. 

2. We entered the Switch into Recovery Mode (RCM). We accom- 
plished this via powering off the Switch then using a specially 
constructed jig to short pins, then holding down volume up 
button and tap the power on button. The Switch would then 
boot without the Nintendo logo. 

3. We confirmed the device had successfully entered into RCM 
mode by opening TegraRcmGUI. The GUI displayed a green 
screened Switch in the lower left-hand corner. 

4. We then executed the DumpNANDPartition.ps1 script from the 
Windows machine with elevated permissions. This automation 
made use of the open source software ‘Biskeydump’ 
(Stojadinovic, 2020) to extract encryption keys to the local 
machine, for the decryption of data. 

5. We turned the Switch off and turned it on again, causing the 
script to continue to the next stage and check whether the 
Switch is in RCM mode such as in step 2. 

6. The script then injected the memloader payload to the Switch. 

7. We then opened the tool HacDiskMount, requiring us to open 
the mounted memory as a physical drive (UMS disk 0) and 
double click the partition in order to dump it. 

8. Using the keys dumped to ‘.\prod.keys’ on the local machine by 

‘Biskeydump’ in step 4. We entered these keys — BIS KEY 2 


5 E:\project-wario-demos\la. demo-init-—individual> 
Plug in Switch via usb-c in RCM mode to begin key dump 
in32 error 31 during post-smash read op 
egraRcmSmash (64bit) 1.2.1-3 by rajkosto 


anted device not connected yet, waiting 
ooking for devices matching the pattern 
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(Crypt) and BIS KEY 2 (Tweak) into the Crypto (Upper) and 
Tweak (Lower) fields respectively. 

9. Within the directory selected as the ‘Dump to File’ destination, 
there was our extracted binary. The device could now be 
switched off and disconnected. 


4.4. Manual and automated analysis 


Following on from our extraction of the memory dump, we then 
searched for and found artefacts on the system that were of forensic 
interest. At a high level, the data types we were looking for were 
location data, usage times, wireless network data and social con- 
nections. We chose these artefact types as our criteria were to find 
artefacts that may be of interest to an investigator or forensic 
analyst. 

Our process for discovery of forensic artefacts was initially a 
manual keyword search within the NAND dump ingested into 
Autopsy. We set out to identify several items of forensic relevance 
and discover their traces in the dump. Once we discovered key 
words and offsets that identified given artefacts, we then auto- 
mated the process of artefact extraction, via development of Au- 
topsy ingest modules. 


4.5. Autopsy modules 


We initially identified data of interest via manual keyword 
searches within the NAND dumps. When we discovered relevant 
data in a reliable way and were able to repeat its discovery on a 
second device, we then automated their extraction via the devel- 
opment of Autopsy modules. Autopsy is open source forensics 
software, developed by the author of File System Forensic Analysis, 
Brian Carrier (2005), that allows the development of additional 
modules and plugins to augment the capabilities of the software. 

These modular plugins augment the typical use case of Autopsy 
which is the forensic analysis of hard drives. These modules come 
in a number of different subtypes (Basis Technology, 2020). We 
chose to develop ingest modules to automate the extraction of 
forensic artefacts. These modules are run when a new data source is 
ingested and can be re-run manually against already ingested data 
sources. 

We created these modules using version 2.7 of the Python 
programming language. These modules work on extracted NAND 
dumps from any Nintendo Switch for which it is possible to extract 
the NAND dump. 


move .\DumpNAND.psl .\DumpNANDPartition.psl1 
PS E:\project-wario-demos\la. demo-init-individual> .\DumpNANDPartition.psl 


Once the keydump payload has completed, switch off the switch and restart into RCM mode 
ey dump complete, please restart the Switch into RCM mode 

Unknown key ‘pwroffHoldTime' for BOOT section on line 12, skipping 

VID_0955&P1D_7321* 


Opened USB device path \\?\usb#vid_0955&pid_7321#6811a6e85&082#{aa0dbd4 5-3117 -F331-5c49-76bf65225042} 
RCM Device with id 4085010C00000010C40/2D6401101062 initialized successfully! 


Uploading payload (mezzo size: 92, user size: 124720, total size: 190936, total padded size: 192512)... 


Smashing the stack! 
Smashed the stack with a 0x/000 byte SETUP request! 
Switching to command mode due to READY. 


Sending E:\project-wario-demos\la. demo-init-individual\Tools\ums_emmc.scr.img (86 bytes) to address 0x80100000 
Sending E:\project-wario-demos\la. demo-init-individual\Tools\u-boot.elf (4508/79 bytes) to address 0x80110000 


Booting AArch64 with Pc 0x80110000... 

BOOT command sent successfully! Continuing. 
in32 error 31 during post-smash read op 
Mounting NAND. Please wait... 

Starting NAND dump 


Fig. 3. Execution of DumpNANDPartition script. 
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4.6. Autopsy modules structure 


Autopsy modules are built in a standard format which keeps to a 
similar structure: 


e Ingest Module Factory: Creates an instance of the File Ingest 
Module. 

e Ingest Module: Performs the business logic of the ingest mod- 
ule. It is made up of a number of important standard functions: 

e Ingest Module: Startup():Initialisation of the ingest module 
class. 

e Ingest Module: Process():Where all the work of the data source 
ingest module is performed. 


Hex Dump 1 - User Account Details: 


00077FE2 
00078000 
0007801E 
0007803C 
0007805A 
00078078 
00078096 
000780B4 
000780D2 
000780F0 
0007810E 
0007812C 
0007814A 
00078168 
00078186 
000781A4 
000781C2 
000781E0 


00 
22 
35 
42 
22 
40 
65 
61 
6D 
67 
6D 
2C 
3A 
69 
6B 
3A 
00 
00 


00 
65 
61 
22 
61 
78 
41 
74 
64 
73 
80 
67 
30 
69 
3A 
65 
00 
00 


00 
22 
63 
69 
6C 
63 
61 
63 
3A 
72 
E2 
61 
30 
6B 
61 
22 
00 
00 


00 
3A 
22 
6D 
22 
6F 
6C 
73 
74 
65 
80 
67 
31 
65 
6C 
69 
00 
00 


00 
6D 
22 
7A 
22 
75 
73 
6F 
75 
6E 
E2 
22 
30 
22 
65 
47 
00 
00 


00 
61 
72 
6F 
00 
6B 
69 
72 
65 
4E 
80 
3A 
31 
3A 
2C 
6E 
00 
00 


00 
6C 
65 
6E 
00 
22 
73 
54 
2C 
61 
A2 
42 
22 
66 
22 
6F 
00 
00 


00 
22 
69 
22 
00 
22 
65 
72 
6E 
65 
2C 
6E 
22 
6C 
73 
6C 
00 
00 


00 
22 
6E 
22 
00 
6E 
6D 
65 
63 


69 
47 
6F 
65 
61 


00 
00 


e Ingest Module: Shutdown():Performs all the termination ac- 


tions to destroy the ingest module instance. 


These functions form the basis of the Autopsy ingest modules 
that we created during this research. To import the Autopsy Ingest 
modules, the Python files need to be placed in the ‘APPDATA%| 
Autopsy|python_modules’ directory. 


4.7. Example module development: Connected Display Logs 


To exemplify how we developed these Autopsy modules, we 
show an example of one of the simplest artefact extractions, the 
‘Connected Display Logs’ and identify how we automated this 
process. 

To discover the initial location of artefact we used the known 
string ‘Benq’ and conducted a string search for this string. This then 
revealed the model was ‘BenQ GL2460s’. This led to our discovery of 
this string in 2 separate locations, namely: 


1. Following the string ‘EdidBlock’ and preceding the string 
‘EdidExtensionBlock’. 
2. In other seemingly random places. 


Both of these locations were contained within the partition 
/SYSTEM.bin/save/80000000000000d1. 


3A 


4C 
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Listing 1. Python regular expressions to find display data. 


names = names + re.findall("EdidBlock 
»*?\\\\xFo\\\\ x00 C.*?7)\\\.*? EdidExten 
sionBlock", repr(currentBuffer)) 


In order to repeatedly find this data, we chose to investigate the 
first of these locations. We used regular expressions to find any 
occurrences of the strings ‘EdidBlock’ and ‘EdidExtensionBlock’, as 
shown in Listing 1. 


After the Autopsy plugin finds all occurrences of these strings, 
they are returned to the Autopsy interface wherein they are dis- 
played to the analyst. 


00 
64 
3A 
75 
00 
6C 
74 
4D 
6E 
74 
43 
22 
6E 
22 
65 
6E 
00 
00 


00 
22 
22 
72 
00 
79 
74 
61 
61 
6F 
68 
2C 
74 
69 
62 
6B 
00 
00 


00 
3A 
22 
6F 
00 
74 
65 
72 
6D 
E2 
69 
42 
72 
73 
6F 
65 
00 
00 


00 
66 
6C 
4F 
00 
73 
3A 
74 
3A 
E2 
22 
72 
3A 
69 
4C 
3A 
00 
00 


00 
39 |."gender":"male","id":"dfaf9| 
69 |15d374afc","region":"",Blini | 
6E |dB:DB,"timezone":"Europe-Lon| 
00 [n","email":"---------------- | 
72 |-@modux.co.uk","analyticsFor | 
75 |tetnalAnalysisPermitted":tru| 
67 |.akalyticsForTargetMarketing| 
61 |rmitted": true, Bnickname2:"wa| 
E2 |igi","screenName":"to....... | 
GL. Mis vaewe Seca ", BisChild":fa| 
64 |e,"language":"en-GB","birthd| 
42 |.:"2000-01-01", "country": "GB| 
65 |.isKkLinked":false,"isTwitte| 
6B |ikked": false, "isFacebookLink| 
65 |i:false,"isGoogleLinked": fal | 
00 
00 


5. Forensic artefacts 


After extracting the NAND dump, we forensically analysed the 
data. The key objectives of this analysis were to recover as much 
data as was possible from various elements of the filesystem. We 
recovered these forensic artefacts from the extracted NAND dump. 
We list the artefacts that we recovered in Table 2. In this table we 
also list the specific data types discovered and which memory 
partition they were extracted from. This list is not exhaustive and 
there are other artefacts discovered on the dump that we did not 
prioritise investigation of, such as paired ‘Joy-Cons’. We developed 
a number of Autopsy modules that facilitated the automated 
extraction of data from the NAND dumps and subsequent forensic 
analysis of this data (Modux Labs, 2020). We list these modules in 
Table 3 and describe them in more detail in the following section. 

Effect of Factory Reset. We observed that data persisted across 
factory resets for the Nintendo Switch device, meaning that at- 
tempts by a malfeasor to erase any data pertaining to previous 
owners will be ineffective. This can also prevent the success of 
criminals utilising Nintendo Switch devices and attempting to 
obfuscate their behaviour by factory resetting the device. In cases of 
a Nintendo Switch device being stolen, the original owner's details 
would still persist on the device. 
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Table 2 
Forensic artefacts of interest. 


Artefact 


Connected Displays 
Error Logs 

Game Saves 

Gameplay Logs 
Multiplayer User History 
Power On/Off Logs 
Screenshots & Videos 
User Accounts 

Wifi Networks 


Location 


/SYSTEM.bin/save/80000000000000d1 
/SYSTEM.bin/save/80000000000000d1 
/USER.bin/save/ 
/SYSTEM.bin/save/80000000000000a2 
/SYSTEM.bin/save/8000000000000001 
/SYSTEM.bin/save/80000000000000a1 
/SYSTEM.bin/ 
/SYSTEM.bin/save/8000000000000010 
/SYSTEM.bin/save/8000000000000050 
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Available Data 


Connected Displays 

Last 50 Error Codes 

Save Time & Game Title 

Access Time & Game Title 

300 users last played with 

Last Boot Time & Power State Changes 
JPG,.MP4 &.PNG with Timestamps 

Birth Date, Email, Gender & Location 
MAC Addresses, NAT, Passwords & SSIDs 


Table 3 
Autopsy modules list. 


Autopsy Module 


ingest_connected _displays 
ingest_game_history 
ingest_crash_dumps 
ingest_device_accounts 
ingest_gamesaves 
ingest_last_boot 
ingest_mp_user_history 
ingest_power_states 
ingest_screenshots 
ingest_wifi 


Hex Dump 2 - Wireless Details (SSID and PSK): 


0005C850 
0005C86E 
0005C88C 
0005C8AA 
0005C8C8 
0005C8E6 
0005C904 
0005C922 


5.1. User accounts 


We found several items of personally identifiable information. 
This included what is defined as sensitive personal data under the 
GDPR (Information Commissioners Office, 2020b). We discovered 
this data contained within one offset location, containing several 
items relevant to user accounts, including sensitive information 
such as gender, email address and date of birth. We show these 
details, with comparison to the raw hex in Hex Dump 1, with the 
relevant bytes and information highlighted in blue. We have 
amended 16 bytes at the offset of 0007805A to null bytes, to 
maintain the privacy of the subject. 

We developed an Autopsy ingest module that facilitates 
extraction of all the Nintendo Switch's user accounts that have ever 
existed on the device. This module extracted data from the /SYS- 
TEM.bin/save/8000000000000010 file. 


5.2. Wifi networks 


A history of all wireless networks that the Switch device has 
interacted with is available within the NAND dump. The bytes and 
information showing the SSID and PSK are displayed as blue text, 


Returned Artefacts 


All recently connected displays 

Recent game history 

Last 50 crash dumps 

All user accounts saved to device 

All saved games 

Last boot time of device 

Last 300 users played with and game played 
Device power history 

All saved recordings and screenshots 

Details of all WiFi networks recently connected to 


Tochy.ceel 


visible in Hex Dump 2, in the following format: 


< 16 bytes of unknown data > null 


bytes] < SSID > [arbitrary null bytes] < PSK > 


[arbitrary 


We also discovered additional details within the NAND dump, 
that allowed for other details pertaining to the network to be 
discovered. These details are the NAT gateway, MAC addresses and 
SSIDs of relevant routers. 

The forensic value of network access point history in addition to 
other networking information is significant. It allows location to be 
determined and also provides evidence of prior knowledge of a 
Private Shared Key (PSK), if the network is password protected. 

We automated the capability to extract details of wireless net- 
works that have been recently connected to, in addition to other 
network metadata. We also automated the extraction of passwords 
for wireless networks. To accomplish this, we created an Autopsy 
ingest module which discovers the network SSIDs, network PSKs 
and other networking details from the target Nintendo Switch 
device. This module’ accesses file | /SYSTEM.bin/save/ 
8000000000000050. 
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5.3. Error logs 


When errors occurred during the operation of the Nintendo 
Switch, they were saved within the device error history log for 
future reference. We were also able to access the 10 latest error logs 
via the support menu option. Within the NAND flash memory, we 
could view the latest 50 error logs. We observed that Error Logs 
were stored and serialised in MessagePack format (Sadayuki, 2012). 
We used Hactoolnet (Barney, 2020) to extract this information from 
the MessagePack format. 
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5.5. Gameplay logs 


Applications and games for the Nintendo Switch were observed 
to have unique identifiers, such as those referenced by save game 
files (SwitchBrew Wiki, 2020a). It was possible to view the save 
times and details of applications and games that were opened on 
the device. 

We developed an Autopsy ingest module that extracted the 
timestamps of when individual game titles were played. We 
discovered this data within the System partition at /SYSTEM.bin/ 


Hex Dump 3 - Youtube Application Opened: 


00058E90 
00058EA8 
00058ECO 
00058ED8 
00058EFO 
00058F08 
00058F20 
00058F38 
00058F50 
00058F68 
00058F80 
00058F98 
00058FBO 
00058FC8 
00058FE0 
00058FF8 
00059010 
00059028 


95 
2F 
39 
65 
01 
65 
72 
61 
A8 
65 
6E 
30 
63 
32 
A5 
D9 
35 
73 


71 
60 
62 
74 
00 
6E 
61 
70 
65 
63 
5F 
31 
oF 
32 
37 
24 
2D 
73 


FF 
73 
EF 
5F 
3A 
74 
67 
70 
76 
75 
6D 
39 
72 
3A 
2E 
37 
39 
5F 


10 
52 
FO 
69 
40 
A6 
65 
6C 
65 
74 
6F 
2D 
64 
33 
30 
35 
36 
73 


14 
60 
7E 
64 
oc 
6C 
A7 
69 
6E 
69 
64 
30 
65 
36 
2E 
38 
62 
79 


E3 
7C 
6F 
D7 
3D 
61 
73 
63 
74 
6F 
65 
33 
64 
A6 
31 
39 
32 
73 


D8 
FB 
04 
00 
AO 
75 
64 
61 
5F 
6E 
00 
2D 
5F 
6E 
Bl 
38 
62 
74 


8E 
4E 
F3 
01 
00 
6E 
5F 
74 
69 
5F 
AE 
32 
61 
13 
72 
66 
35 
65 


Cl 
2F 
EE 
00 
A4 
63 
63 
69 
64 
68 
6C 
35 
74 
61 
65 
33 
36 
6D 


67 
F3 
40 
7D 
74 
68 
61 
6F 
BD 
69 
63 
20 
B3 
5F 
70 
66 
39 
5F 


2D 
AF 
B1 
66 
79 
A8 
72 
6E 
61 
73 
5F 
31 
32 
69 
6F 
2D 
66 
75 


42 
AE 
69 
OA 
70 
73 
64 
5F 
70 
74 
72 
35 
30 
64 
72 
31 
34 
70 


OE 
10 
8E 
FD 
65 
65 
82 
69 
70 
6F 
65 
3A 
31 
co 
74 
36 
33 
64 


AF 
06 
36 
D5 
A7 
71 
A8 
64 
6C 
72 
63 
32 
39 
AA 
5F 
33 
34 
61 


45 
79 
B6 
8F 
64 
75 
73 
D7 
69 
79 
6F 
32 
2D 
6F 
69 
65 
D9 
74 


9E 
DE 
7F 
A6 
69 
65 
79 
00 
63 
AE 
72 
3A 
30 
73 
64 
2D 
26 
65 


3D 
6D 
85 
61 
67 
6E 
73 
01 
61 
6F 
64 
33 
33 
5F 
65 
34 
72 
5F 


c3 
E9 
D2 
70 
69 
63 
5F 
00 
74 
70 
65 
36 
2D 
76 
6E 
34 
65 
76 


DC 
7F 
35 
70 
74 
65 
69 
00 
69 
65 
64 
AE 
32 
65 
74 
33 
62 
65 


86 
C6 
AQ 
5F 
61 
29 
6E 
00 
6F 
72 
5F 
6E 
35 
72 
69 
30 
6F 
72 


F5 
c9 
74 
69 
6C 
A7 
66 
00 
6E 
61 
61 
63 
20 
73 
66 
2D 
6F 
73 


27 
FO 
69 
64 
A5 
73 
6F 
00 
5F 
74 
74 
5F 
31 
69 
69 
39 
74 
69 


53 
F6 
63 
D7 
65 
74 
89 
10 
65 
69 
B3 
72 
35 
6F 
65 
30 
6C 
6F 


2E 
c9 
6B 
00 
76 
6F 
AE 
25 
78 
6F 
32 
65 
3A 
6E 
72 
32 
65 
6E 


|..:@.=...type.digital.ev 
Jent. launch. sequence) .sto 
|rage.sd_card..sys_info.. 
|application_id......... % 
| .event_id.application_ex 
|ecution_history.operatio 
|n_mode. .1lc_recorded_at.2 
[019-03-25 15:22:36.nc_re 
| corded_at.2019-03-25 15: 
|22:36.nsa_id..os_version 
|.7.0.1.report_identifier 
| .$75898f£3£-163e-4430-902 
|5-96b2b569£434.&rebootle 


We developed an Autopsy ingest module to extract a log of the 
last 50 errors registered by the device. The errors were extracted 
from the /SYSTEM.bin/save/80000000000000d1 file. The external 
dependency ‘hactoolnet’ (Barney, 2020) was used to process much 
of the data. 


5.4. Screenshots and video captures 


We discovered screenshots and video captures taken by users, 
within the NAND dump, that were in.jpg,.mp4 and.png formats. 
The list of game ID hashes to which this ‘Game-ID-hash’ corre- 
sponded could identify the game to which a screenshot belonged. 
These game IDs are listed in the Switch-Screenshots repository 
(Greca, 2020). 

We observed the format of these screenshots to be: 


< Timestamp in £Y%m%d %H%M%S%f > - < Game-ID-hash > jpg 


We developed an Autopsy ingest module to process each of the 
screenshots which were taken on the device. This module parsed 
the title of the game being played at the time of the screenshot, and 
the timestamp of the screenshot itself. 


|ss_system_update_version 


save/80000000000000a2. 

An example application can be seen in Hex Dump 3. The unique 
identifier for the YouTube application 01003A400C3DA000 is high- 
lighted for clarity, this unique identifier can be verified on 
SwitchBrew Wiki. 

In a similar manner to power-on and power-off logs, logs were 
not written to with every gameplay event. As such, data may have 
been missing. 


5.6. Saved Games 


Within the User partition's save directory there were files which 
corresponded to separate game titles that have been played on the 
device. From the last write time of these files it was possible to 
determine the time at which each game had last been saved. 

To extract the game title a given save data file corresponded to, 
we extracted the game ID. We accomplished this via looking at an 
offset of 1752 bytes, to see an 8 byte buffer offset, which was in little 
endian format. These 8 bytes are highlighted in blue in Hex Dump 4. 
We then correlated these 8 bytes to the game ID to identify the 
game in question. 
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Hex Dump 4 - Game Saves Title Identification: 


00000690 
000006A0 
000006B0 
000006C0 
000006D0 
000006E0 
000006F0 
00000700 
00000710 
00000720 


We developed an Autopsy ingest module which extracts the 
state of the save data for each of the game titles which have been 
saved on the device. Each gamesave is stored in an individual file in/ 
USER.bin/save/. The module processes and extracts each game that 
has been played and the last time it was saved. It should be noted 
that some games do not provide timestamps of the last time they 
were saved. 


Hex Dump 5 - Multiplayer User History: 


0005C6BO 
0005C6CO 
0005C6D0 
0005C6E0 
0005C6F0 
0005C700 
0005C710 
0005C720 
0005C730 
0005C740 
0005C750 
0005C760 
0005C770 
0005C780 
0005C790 


5.7. Multiplayer user history 


A list of the previous 300 players that have been played with can 
be found within the NAND dump. Similar to the Saved Games, we 
identified the game ID from its representation. The location of this 
data was within the System partition at /SYSTEM.bin/save/ 
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01 | 
16 -MF Cisis F.$.. 
00 | 
00 | 
01 | 
00 |..) 


0000000000000001 and we show it in Hex Dump 5. These bytes 
corresponding to the game ID are highlighted as red text, shown in 
little endian format. By performing a lookup of the game ID, we 
determined that this game ID corresponds to Splatoon 2. The player 
that was played with, ‘Dranks’, is highlighted as blue text. 

The capability of extracting forensic artefacts showing the last 
players that an individual interacted with, allows the establishment 
of patterns of association. Identifying these patterns is useful in any 
forensic investigation. 


We developed an Autopsy ingest module to extract the latest 
300 Nintendo Switch users which have recently been played with. 
This module used the save data file at /SYSTEM.bin/save/ 
8000000000000001 to extract the users that have been played with 


E Barr-Smith, T. Farrant, B. Leonard-Lagarde et al. 


and the game that was played. 


Hex Dump 6 - Hex Dump of Power State Change: 


00058098 
000580B0 
000580C8 
000580E0 
000580F8 
00058110 
00058128 
00058140 
00058158 
00058170 
00058188 
000581A0 
000581B8 
000581D0 


64 
72 
38 
35 
70 
64 
32 
74 
31 
41 
65 
6F 
B3 
72 


co 
74 
37 
33 
64 
75 
30 
61 
38 
77 
65 
6E 
73 
61 


AA 
SF 
63 
64 
61 
72 
31 
72 
3A 
61 
70 
5F 
79 
74 


6F 
69 
37 
D9 
74 
61 
39 
74 
34 
6B 
82 
69 
73 
69 


73 
64 
2D 
20 
65 
74 
2D 
65 
38 
65 
A8 
64 
74 
6F 


5F 
65 
34 
72 
5F 
69 
30 
64 
B1 
AF 
73 
D7 
65 
6E 


76 
6E 
32 
65 
76 
6F 
33 
5F 
70 
70 
79 
00 
6D 
5F 


65 
74 
66 
62 
65 
6E 
2D 
61 
6F 
6F 
73 
01 
5F 
6D 


72 
69 
66 
6F 
72 
OA 
32 
74 
77 
77 
5F 
00 
73 
6F 


73 
66 
2D 
6F 
73 
AD 
35 
B3 
65 
65 
69 
00 
74 
64 


69 
69 
62 
74 
69 
6C 
20 
32 
72 
72 
6E 
00 
61 
65 


6F 
65 
34 
6C 
6F 
63 
31 
30 
5F 
5F 
66 
00 
74 
00 


6E 
72 
38 
65 
6E 
5F 
37 
31 
73 
73 
6F 
00 
65 
AE 


A5 
D9 
33 
73 
A1 
73 
3A 
39 
74 
74 
89 
10 
5F 
6C 


37 
24 
2D 
73 
35 
74 
31 
2D 
61 
61 
AE 
24 
63 
63 


5.8. Power on/power off logs 


This data was contained within the System partition within the 
binary file /SYSTEM.bin/save/80000000000000a1, in MessagePack 
format. We display this data in Hex Dump 6. Not all power on and 
off events were seen to be stored within the system logs. We 
developed an Autopsy ingest module that extracted the time- 
stamps of when the device was powered on and off. The power 
state changes were denoted in the following format (denoted as 
blue text in the hex dump): 


nc_started_at < timestamp > powerstate_state_start < 
state > powerstate_state_start < state > 


Hex Dump 7 - Connected Display Model: 


00059200 
00059210 
00059220 
00059230 
00059240 
00059250 
00059260 
00059270 
00059280 
00059290 
000592A0 


00 
FF 
19 
50 
00 
00 
31 
1E 
42 
45 
63 


17 
FF 
03 
A5 
01 
2B 
35 
11 
6E 
69 
C4 


We calculated the last boot time by ascertaining the last write 
time of a single file in the System partition. We developed an Au- 
topsy ingest module to process the last time the Nintendo Switch 
was booted. This module made use of the last write time of the 
/SYSTEM.bin/save/8000000000000060 file. 


2E 
37 
36 
5F 
A4 
61 
38 
30 
74 
74 
61 
A8 
68 
5F 
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5.9. Connected Display Logs 


30 
62 
32 
73 
64 
72 
3A 
33 
65 
65 
70 
65 
61 
72 


2E 
38 
37 
79 
61 
74 
34 
2D 
5F 
5F 
70 
76 
6E 
65 


31 
39 
34 
13 
74 
65 
38 
32 
73 
65 
6C 
65 
67 
63 


Bl 
39 
65 
74 
61 
64 
AD 
35 
74 
6E 
69 
6E 
65 
6F 


72 
62 
32 
65 
DE 
5F 
6E 
20 
61 
64 
63 
74 
AE 
72 


65 
31 
63 
6D 
00 
61 
63 
31 
72 
A5 
61 
5F 
6F 
64 


70 
31 
34 
5F 
05 
74 
5F 
37 
74 
53 
74 
69 
70 
65 


6F 
2D 
65 
75 
A8 
B3 
73 
3A 
A5 
6C 
69 
64 
65 
64 


|d..os_version.7.0.1.repo 
|rt_identifier.$7b899b11- 
| 87c7-42££-b483-6274e2c4e 
|53d. rebootless_system_u 
|pdate_version.5.data.... 
|duration. .lc_started_at. 
| 2019-03-25 17:18:48.nc_s 
| tarted_at.2019-03-25 17: 
|18:48.power_state_start. 
| Awake. power_state_end.S1 
Jeep. .sys_info..applicati 
$.event_id 
| .system_state_change.ope 
|ration_mode. .1c_recorded 


Logs of display devices that have been connected to the Nin- 
tendo Switch were stored within the file at /SYSTEM.bin/save/ 
80000000000000d1. In this file, the name of the connected display, 
followed the string EdidBlock and preceded the string Edi- 
dExtensionBlock. We display the location of the display name in Hex 
Dump 7, with the relevant bytes highlighted. We developed an 
Autopsy ingest module that extracts a list of connected displays 
that have been connected to the Switch at any point from this file. 

In a similar manner to the forensic value of wireless network 
connection details, logs of previously connected devices can prove a 
person had previous knowledge and familiarity with a given 
location. 


5 64 69 64 42 6C |pped...E..EdidBl| 
F FF 00 09 D1 CE |lock...........005 | 
5 1E 78 2E 6B 35 |xET....... 5.x.k5| 
0 D1 CO 81 CO 81 |.UU.’.PT.k...... | 
1:02 3A: 80) 18) 7I leca tensrrsprr Eaa ql 
0 00 1E 00 00 00 |8-@X,E..+!...... | 
3 4C 30 OA 20 00 |..T1F01954SL0. .| 
A 20 20 20 20 20 |....2L.S... | 
O 47 4C 32 34 36 | ..... BenQ GL246| 
5 78 74 65 6E 73 |0. ...EdidExtens| 
2 03 22 F1 4F 90 |ionBlock....".0. | 
6. Discussion 


The ultimate goal of digital forensic analysis is to establish a high 
level timeline by automated extraction of artefacts that may be 
forensically relevant (Hargreaves and Patterson, 2012). These 
timelines can then be used to construct pattern-of-life analyses or 
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to analyse the circumstances surrounding a particular criminal 
event. Our development of these tools allows a number of different 
forensic artefacts to be retrieved from the NAND memory of the 
Switch via automatic processing. 

The awareness of the Nintendo Switch as a source of forensic 
evidence may not be considered within criminal threat models. The 
capability for law enforcement to collect evidence from laptops and 
mobile phones is well known. However, the capability for law 
enforcement to collect digital evidence from games consoles is not 
particularly well known. As such, criminals and terrorists use these 
services to communicate, which has allegedly attracted the atten- 
tion of intelligence agencies, as Stevens (2015) has stated. As these 
devices are not included as part of the operational threat model 
there may be richer data that can be extracted. 


6.1. Ethics 


The use of exploitation to extract digital forensic evidence has 
some legal and ethical ramifications. Previous attempts to conduct 
exploitation on the Xbox, were met with lawsuits from Microsoft 
(Huang, 2003). The fact that exploitation of systems is commonly 
associated with criminal computer intrusion may present issues 
when provided in a court, as addressed by police guidance with 
regards to best practices for live acquisition of memory (Association 
of Chief Police Officers, 2012). This is due to verifiable chain of 
custody, that presents issues of data integrity. Write blockers and 
similar technology can be used for traditional file system forensics, 
to prove integrity. Whereas acquisition of forensic evidence ac- 
quired via exploitation may be challenged in court, as it is not 
possible to definitively prove that no evidence tampering has 
occurred. It must also be noted that in this case, the exploit chain 
does not alter the extracted data and the extracted data can be 
considered forensically sound. 

With the extraction of personal data from these devices, it is 
important for us to adhere to the European General Data Protection 
Regulation. Our extraction of personal data from these devices 
should be included within the research exemptions concerning 
personal data, as described by the Information Commissioners 
Office (2020a). We also ensured that any extracted data was 
stored securely and deleted after our research and do not make any 
personally identifiable information public as a result of this 
research. 


6.2. Limitations 


The Tegra exploit that is required to gain code execution on the 
device was patched on a hardware level for all devices produced 
after June 2018. This still leaves all preceding devices vulnerable to 
exploitation. The fact that software required a hardware patch 
means that the vulnerability enabling exploitation and subse- 
quently data extraction will persist indefinitely for these specific 
models. It is likely that subsequent models will be found to have 
vulnerabilities. All the data recovered could be alternatively ob- 
tained through a ‘chip-off, with forensic integrity. But an exploit 
would still need to be deployed against the device to obtain keys for 
decryption. 


6.3. Future work 


There is unlikely to be any mitigation of this exploit for previ- 
ously distributed versions of the Switch as the Tegra bootRom 
exploit was based on an unpatchable hardware bug. However, 
Nintendo did patch the bug on a hardware level for devices released 
after disclosure of the exploit. Additionally, the ingenuity of the 
homebrew community is likely to ensure that future versions of the 
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Nintendo Switch will be exploited. It must also be noted that the 
exploitation of the Nintendo Switch is not solely limited to the 
Tegra exploit. An updated list of vulnerabilities in the hardware and 
software of the Switch is accessible in the SwitchBrew Wiki (2020b) 
and also at GBATemp (2020). 

There are also new consoles being released, such as the Nin- 
tendo Switch Lite, the Switch 2 and other derivative models. As the 
underlying memory architecture will likely be the same, this pre- 
sents an opportunity for future forensic research, building on our 
initial work. 


6.4. Future of console forensics 


As the amount of functionality and therefore provided metadata 
used by portable consoles increases, the capability for effective 
extraction of forensic evidence also increases. 

The extraction of forensic evidence via memory dumps has been 
possible on most mass market consoles. Though the evolution of 
modern memory protection mechanisms such as Address Space 
Layout Randomisation and Data Execution Prevention have made 
exploitation and gaining remote code execution to extract forensic 
data more complex, most mass market consoles to date have been 
exploited. 


7. Conclusions 


We have shown that it was possible to recover data from the 
Nintendo Switch console in the form of a few key forensic artefacts. 
We also evaluated the potential evidential value of these artefacts 
in an investigation. Many of these forensic artefacts persisted be- 
tween factory resets of the device. 

We automated this recovery capability and provided the code 
enabling this extraction through 10 Autopsy ingest modules, 
enabling forensic analysts to replicate our research for criminal or 
corporate forensic investigations. This also allows future forensics 
research to build upon the findings of our research. 

The exploitation, extraction and analysis of forensic data from 
gaming consoles is not entirely novel. However, our instructions 
and tools for the forensic analysis of the Switch are novel and 
provide capabilities for analysts. This method may be applicable to 
other portable consoles released by Nintendo as part of the Switch 
product line. 
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